MQTT MTLS connection with different CA

Time:04-26

I am trying mTLS authentication in MQTT. I am using mosquitto to achieve this. When I created a server and client certificate from the same CA, the connection was successful. But if I use a different CA for creating a client certificate, then it fails with the below message:

Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.

Is it mandatory to use the same CA for both client and server certificates in mTLS?

Mosquitto.conf

listener 8883
certfile C:\server.crt
keyfile C:\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true

Running broker using

mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"

Subscribe with a client with a certificate signed by the server cert CA [SUCCESS]

mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key

Subscribe with a client with a certificate signed by the other CA [FAILURE]

mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key

Created the certificates using Mosquitto SSL Configuration - MQTT TLS Security

CodePudding user response:

The important thing to realise here is that the CA file passed to the broker as part of its config is used to verify the certificate of any connecting clients.

Whereas the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.

So if you are using different CAs, then these files need to be different; it's not clear from what you've posted which CA certs you are using where.
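The two trust stores the answer describes, as an added example that is not part of the original post or of the mosquitto project: it uses openssl to create a server CA and a separate client CA, checks which CA file accepts which certificate (the check the broker makes, which the client sees fail as "unknown ca" above), and writes the broker config accordingly. The file names, the $WORK scratch directory and the config paths are assumptions.

```shell
# Added example (not from the question or the mosquitto project): rebuild the
# split-CA setup with openssl. Constructed names: server-ca signs the broker
# certificate, client-ca signs the second client. $WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
# Minimal openssl config so the CA certs carry CA:TRUE whatever the system openssl.cnf says.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# make_ca <name>: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# make_leaf <name> <ca>: end-entity certificate signed by <ca>
make_leaf() {
    openssl req -new -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$1.crt" 2>/dev/null
}
# verify_chain <cafile> <cert>: 0 if <cert> chains to a CA in <cafile>, else 1.
# Same decision the broker makes with its cafile (and the client with --cafile);
# a miss is what the client sees as "tlsv1 alert unknown ca".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
}
make_ca server-ca
make_ca client-ca
make_leaf server server-ca
make_leaf otherclient client-ca
# Broker trust store: the CA(s) that signed the clients. Bundling both CAs
# keeps clients issued by server-ca working too.
cat server-ca.crt client-ca.crt > broker-trust.crt
# Broker config (assumed paths): cafile is what verifies connecting clients.
cat > mosquitto.conf <<EOF
listener 8883
certfile $WORK/server.crt
keyfile $WORK/server.key
require_certificate true
cafile $WORK/broker-trust.crt
EOF
# Client side: --cafile verifies the broker, so it needs only server-ca.crt:
# mosquitto_sub --cafile server-ca.crt --cert otherclient.crt --key otherclient.key -h <broker> -p 8883 -t test
```

With the question's original config, the broker's cafile held only the server CA, so otherclient.crt could not be chained and the handshake was rejected with the alert shown above.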
